Privacy statement

DLL collects and processes personal data relating to individuals, including but not limited to our customers and suppliers. The privacy and the protection of personal data is important to DLL. This Privacy Statement outlines in a transparent manner how we collect and use personal data and meet our data protection obligations.

For questions related to this Statement or the processing of personal data in general, please contact us via: gdpr.nordics@dllgroup.com

  • This privacy statement applies to you, if your personal data is processed by us:

    • as a customer (i.e., end-user), if we provide, or offer to provide to you, a financial solution.
    • as a partner (i.e., an organisation that refers customers to us, or an organisation that works with us, to develop and supply our financial products), if we seek to create or have a relationship with you.
    • as a supplier, in the course of receiving products, services, or offers from you.
    • as a customer, partner, supplier or other individual when you visit one of our websites, online applications or our offices.

    Within the different groups, as identified above, we may apply different forms of processing. If such differentiation is applicable and deemed relevant by us, we will mark that out in this privacy statement.

    This privacy statement only applies to our customers, partners, suppliers and our online visitors and office visitors. If you are a job applicant or employee, you will be provided with another privacy statement covering how we manage your personal information for that relationship.

     

  • As a customer, partner, or supplier, you must not provide us with more personal information of yourself, your employees, representatives, clients, or Ultimate Beneficial Owners (UBOs) than we might need for a given purpose.

    You must also inform your employees, representatives, clients, or UBOs about your intention to transfer their personal information to us. You may refer them to this privacy statement so that they can learn how and why we process their personal data.

  • Our contact information is:

    De Lage Landen Finans AB, Sweden
    Address: Kungsgatan 36, 111 35 Stockholm
    Postal address: Box 7754, 103 96 Stockholm
    Telephone: +46 8 781 0600
    Organisation number: 556203-0576
    Supervisory Authority: Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten)

    We are a wholly owned subsidiary of De Lage Landen International B.V., which is a wholly owned subsidiary of Coöperatieve Rabobank U.A. (“Rabobank” and together with its subsidiaries, the “Rabobank Group”).

    A Data Protection Officer (“DPO”) has been appointed for De Lage Landen International B.V. and its subsidiaries (“DLL Group”). The DLL Group DPO can be contacted by email via privacyoffice@dllgroup.com.

  • “Personal data” is any information directly or indirectly relating to an individual, or any information that can be used to identify an individual.

    Personal data is “processed” when any activity is undertaken on your personal data, such as collection, storage, access, use, transfer, disclosure, and deletion.

    For customer, partner, and supplier relationships, the personal data DLL processes mainly consists of information relating to the customer’s, partner’s, or supplier’s directors, representatives, and, if applicable, UBOs. This is because DLL predominantly enters into customer, partner, and supplier relationships with legal persons (e.g., limited liability companies and corporations), rather than with individuals. But we also process personal data of organizations which are considered to be natural persons (e.g., sole proprietorships and specific partnerships with natural persons participating).

    As part of these relationships, we may process the following personal data:

    Contact and identification data
    Your name, address, telephone number, (business) e-mail address, copy of ID, date of birth, business VAT number (if applicable), and copy of proof of residency.

    Contract/agreement data
    Contract number, contract duration, information concerning your financial situation, payment history, bank account details, risk profile, our products or services, and the process of obtaining financial services.

    Data used to ensure your and our security, to prevent and investigate fraud, and to prevent money laundering and financing of terrorism
    Personal data that are processed in the external and internal referral registers of Rabobank and any personal data processed in relation to credit reference agencies and in national and international sanctions lists.

    Recorded calls, recordings of video chat and online chat sessions, video surveillance, and documentation of e-mails
    Information concerning our conversations via telephone or in online chat sessions, inbound and outbound e-mail communications, and camera images that we record in our offices.

    Data related to the use of our websites and online applications
    Cookies or similar tracking technologies may collect your IP address, data about the applications and devices you use to visit our website and online applications.

     

  • We may collect special categories of personal data which are considered more sensitive, such as information relating to your racial or ethnic origin, criminal history, and health/biometric data. We will only process these special categories of personal data if necessary for the applicable purposes, as further described below.

    Race or ethnic background
    For tax purposes and for certain anti-terrorism reasons, we are required to record information about your country of birth. We may also have/take/store your photograph or film you on our CCTV (closed-circuit television) if you visit our offices. However, we do not register your race or ethnic background, and we do not use race or ethnic background to make decisions.

    Personal data concerning criminal convictions
    We may process data related to your criminal record or criminal convictions in the context of anti-money laundering, fraud prevention, and regulatory reporting which may be obtained from open sources (e.g. media searches) or national sanction, fraud and crime prevention databases.

    Biometric data
    If you have registered your fingerprint for log-in purposes in any electronic application operated by us, we may process your biometric data for this purpose.

  • Data protection and privacy laws require us to have a lawful ground for processing your personal data. Depending on the purposes for which we process your personal data, the lawful ground may differ.

    Consent
    You give us your permission to use your data. You are always free to withdraw your consent.

    Legal obligation
    Legally, we are obliged to process your personal data.

    Contractual necessity
    We need your personal data to enter into a contract with you and comply with our contractual commitments to you.

    Legitimate interest
    We have a legitimate interest in processing your personal data, which is not outweighed by your interests, fundamental rights, and freedoms. For example, DLL has a legitimate interest in processing your personal data when requesting you to complete a survey on how we can improve our services.

  • When you (as a customer or a partner on behalf of a customer) obtain a quote from us to finance an asset
    You may contact us directly for a quote for a finance product, such as a lease, hire purchase, or loan, in relation to an asset you are purchasing, or one of our partners may contact us to provide you with a quote. Minimal personal data, often limited to company name, is collected along with the information about the asset you are buying to provide a provisional quote. We will also process the contact details of the partner who obtains the quote from us.
    Lawful ground: Contractual necessity

    When you (as a customer or a partner on behalf of a customer) make an application for a finance product
    If a quote is accepted and you wish to make an application, we need to process your personal data, such as your company name, contact details, company information, bank details, identity verification, and any supporting evidence requested by us. We will also process the contact details of the partner who sends an application to us.
    Lawful ground: Contractual necessity

    When we establish a new relationship with you as a partner or supplier
    If we establish a new partner or supplier relationship, then we will process the personal data of the relevant employees and the representatives of that partner or supplier in the administration of the new relationship and as part of our due diligence checks.
    Lawful ground: Contractual necessity

    When we undertake credit decisions
    We assess your credentials from a risk perspective and validate whether you can fulfil the payment obligations under the contract. This method is called credit decisioning, which is based on an automated process and uses data collected from publicly available sources and credit reference agencies. More details are described in Chapter 8.

    In some instances, we will also review your payment history of any prior contractual relationships you have with us or the Rabobank Group and may request further information to evidence the financial status of your company to assist in this decision making. This may include company reports, bank statements, and data pulled from public websites.

    We also undertake credit checks on partners and suppliers to manage the financial risk of our business.
    Lawful ground: Contractual necessity

    When we undertake KYC/AML, identity verification, and integrity checks
    We must confirm the identity of our customers, our partners, their representatives, and UBOs to comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements. We may do this by making a copy of identity documents, which we will only use for identification and verification purposes.

    We also consult available external and internal referral registers of Rabobank, incidents registers and warning systems, and national and international sanctions lists.

    We undertake these checks as part of any contract negotiation and once a contract is live we will continue this monitoring on a regular basis.
    Lawful ground: Legal obligation

    When we activate a contract and make payments for the asset(s) we are financing or the products and services we are acquiring
    We will undertake final checks on the contract documentation, reviewing payment details and signature screening, before making payments to either our customers or partners for the financed asset or our suppliers for products or services purchased.
    Lawful ground: Contractual necessity

    For the prevention of Fraud
    We maintain a register of suspected and actual fraud cases in order to protect our interests by limiting business that may be exposed to fraud activity.
    Lawful ground: Legitimate interest

    When we send invoices to our customers and receipt payments
    We undertake daily payment reconciliations to ensure customer accounts are paid on time and in line with the contractual provisions.
    Lawful ground: Contractual necessity

    When we collect payments of our customers
    We will collect your bank details to set up regular payments in accordance with your contract terms. Card payment details may also be processed for one-off payment collections.
    Lawful ground: Contractual necessity

    If customers fail to make payments on time
    If you do not adhere to your contract requirements, we will contact you to seek solutions if arrears should emerge and collect outstanding payments.
    Lawful ground: Contractual necessity

    When we collect or recover an asset of our customers
    If you do not adhere to the contract terms, in some cases we may employ specialist debt collection and recovery agents to recover the asset and any amounts outstanding on the account.
    Lawful ground: Contractual necessity

    Account management and contract management for customers, partners and suppliers
    We process your personal data to establish and maintain our business relationship with you. For customers, we process your personal data to inform you about the remaining term or outstanding obligations on your contract.
    Lawful ground: Contractual necessity

    When our customers require insurance for their asset and/or submit a claim
    If your contract terms require that the asset is insured, we will provide your contact details to our insurer unless you arrange alternative insurance cover. When a claim is made for an asset that we own, we will submit the claim to the insurer and keep you updated throughout the insurance claim process. We also process the contact details of a partner that forwards a claim to us on behalf of the customer.
    Lawful ground: Contractual necessity

    When we remarket and resell an asset of our customer
    We may remarket an asset that we have previously leased to you. Any assets that are remarketed that can store any type of data or information have all data wiped prior to the asset being resold. If you purchase an asset from us, we will process your contact and payment details to effect the asset sale.
    Lawful ground: Legitimate interest (Remarketing) / Contractual necessity (reselling & data wiping)

    If you have a query on your contract
    We will process your personal data if you contact us with a query about your contract. If you call our Customer Service team, we record these calls for monitoring and improvement purposes.
    Lawful ground: Contractual necessity (managing queries) and Legitimate interest (call recording)

    When we ask you for feedback
    We may ask you to rate our services whenever we interact with you by email, or we may send you separate feedback requests (e.g., a feedback questionnaire) so that we can understand where we can make improvements.
    Lawful ground: Legitimate interest

    If we send you mail
    If we need to send you hard copy documents via a postal service, we will share your name and contact details with the postal service provider.
    Lawful ground: Contractual necessity

    When we contact you about similar products or services
    Where we have an existing customer relationship with you, we may contact you to make you aware of products or services that are similar and may be of interest.
    Lawful ground: Legitimate interest

    When we undertake direct marketing
    If you are a potential new customer, we may contact you to make you aware of our products and services.
    Lawful ground: Legitimate interest

    When we share customer information with our partners to manage the relationship
    We may share details of your asset purchase and contract details such as term as well as start and end dates with the partner who introduced you as a customer to DLL.
    Lawful ground: Legitimate interest

    When we build business relationships with new customers, partners and suppliers
    We may obtain your contact and company details via our relationship with an intermediary with whom you have or had a business relationship, via Rabobank Group or via internet searches of publicly available information.
    Lawful ground: Legitimate interest

    To manage our risk
    Based on Swedish laws, we are legally obliged to develop risk models, which can include personal data. This allows us to determine our risks, as well as the extent of the financial buffer we must hold, when providing financial services. These risk models calculate the chances of you getting in arrears. These enable us to prevent possible payment difficulties and/or handle these faster. We independently review the financial products we provide and our risk exposure to ensure fiscal responsibility.
    Lawful ground: Legal obligation / Legitimate interest (when law does not specifically sets out we need to process personal data to meet this obligation)

    For our financial planning, audits, regulatory, and internal reporting
    We use personal data of our customers to populate aggregated reports which are required for financial and regulatory reporting. We also use aggregated data to construct strategic plans and develop and enhance our business processes.
    Lawful ground: Legal obligation (audits and regulatory reporting) / Legitimate interest (planning and internal reporting)

    If a company merger, acquisition, or divestment takes place
    If we acquire, merge, or divest one of our business entities, we will process your personal data to transfer your contract to the relevant entity.
    Lawful ground: Contractual necessity

    In the transfer of receivables/securitization
    If we transfer our agreement with you to another financial institution, our agreement is taken over, or if a merger or demerger occurs, your personal data may be processed by a third party acquiring your contract with us, however, it will be a condition of any such transfer that such third party agrees to comply with applicable data protection and privacy laws.
    Lawful ground: Contractual necessity

     

    We process the personal data of visitors of our websites, online applications (e.g. portals, mobile apps) and offices for a variety of purposes.

    When you visit our websites and online applications
    We operate cookies or similar tracking technologies on our websites and online applications to ensure they function correctly. You can read more about how we use cookies or similar tracking technologies in our Cookie Statement.
    Lawful ground: Consent

    If you access an online account on our online applications
    If you are given a log in to a DLL customer or partner online web portal or mobile application, we will process your contact details and provide you with security credentials to enable you to access your account. Cookies and tracking technologies are in operation on these sites which you can read more about in our Cookie Statement.
    Lawful ground: Legitimate interest

    To manage our facilities
    If you visit a DLL office, we operate CCTV and ensure access to offices is managed securely. Your image is captured by our CCTV systems and your contact details are recorded to provide you access to our offices via a secure pass.
    Lawful ground: Legitimate interests

     

    In addition, we may process the personal data of anyone who interacts with us for legal, compliance and business improvement purposes

    To develop and improve our systems and processes
    We may process personal data to develop and improve our systems and processes. When we test new systems, we will aggregate, anonymize, or scramble data so that it is no longer identifiable.
    Lawful ground: Legitimate interest

    To manage and evidence our compliance with data protection and privacy laws
    If you exercise any of your rights under data protection and privacy law, we will process your data to manage your request. If we experience a data breach, we will process the data of impacted individuals as required to mitigate risk and inform you of a breach where it is required.
    Lawful ground: Legal obligation

    If you make a complaint
    We will process your contact details and any supporting information to administer, investigate, and respond to your complaint.
    Lawful ground: Legal obligation

    When we make or receive a legal claim
    We will process personal data if we make or receive a legal claim in respect of the contract we have with you. We may share your personal data with legal specialists for the purpose of defending our legal rights.
    Lawful ground: Legal obligation

    For legal and regulatory compliance purposes
    In some cases, we may be instructed by relevant government or supervisory authorities to process or share your personal data to comply with a regulatory requirement, court order or assist with an investigation.
    Lawful ground: Legal obligation

  • To improve our efficiency, we use process automation. For instance, we rely on algorithms to help us with credit scoring, development of risk models, and creation of so-called scorecards. Whenever we use algorithms or automation we do not solely rely on the outcome of the algorithms or automations for a decision in all cases. Instead, when requested, we ensure human oversight and involvement. For example, where a credit scoring algorithm produces a negative outcome and a customer or partner requests a review, a trained and experienced member of staff will review the outcome and base the final decision on their judgement.

  • DLL is subject to the Rabobank Privacy Codes. The Rabobank Privacy Codes apply as “Binding Corporate Rules” (“BCRs”). This means we must meet minimum standards in the collection and processing of personal data.

    DLL is committed to taking the necessary organisational and technical measures to protect your personal data when we process it and share it with third parties. These include:

    • All our employees are subject to confidentiality obligations to ensure the adequate protection of your personal data.
    • We use appropriate security measures to ensure the confidentiality, integrity, and availability of your data, as well as certifying systems and services which are resilient and are able to restore data in the event of a data loss.
    • Where possible, we aim to secure your personal data by lessening or removing personally identifying elements.
    • We regularly evaluate the effectiveness of our technical and organisational measures to ensure continuous improvement in the security of processing personal data.
    • We usually only process your personal data for the purposes for which these were originally collected. Personal data may also be processed for a legitimate business purpose different from the original purpose (secondary purpose), but only if the secondary purpose closely relates to the original purpose.
    • When we share your data with third parties outside of the Rabobank Group, we perform due diligence and thorough assessments of those parties and verify the secure processing of your personal data by way of contractual terms and conditions.

    The Rabobank Privacy Codes are available on our website

  • Sometimes we may have a clear and legitimate reason to share your data with other parties.

    Sharing data within the DLL Group
    As a global organization personal data may be transferred to other entities in the DLL Group who provide operational support enabling the delivery of better customer services. An example of this is when operational support is provided by our shared service center based in India. We also provide products and services to global partners and customers and collaborate across the various DLL entities to deliver global solutions.

    Sharing data within the Rabobank Group
    DLL is a wholly owned subsidiary of Coöperatieve Rabobank U.A., a Dutch Bank with registered office in Amsterdam, the Netherlands (“Rabobank”). The “Rabobank Group” consists of Rabobank plus all its subsidiaries. There may be times when we share personal data with Rabobank or other Rabobank Group entities. For instance, you may be a customer of Rabobank and DLL, respectively, and we might share your data internally to avoid a duplication of your efforts. Alternatively, we may share your data with Rabobank (or vice versa) if we think they might have a financial product that might be of interest to you.

    Sharing data outside the Group
    Like any other company, we rely on the services of third parties.

    When we engage specialist suppliers, consultants, or contractors to assist us in running our business, we may share your personal data with them where it is necessary for the service they provide to us. For instance, we may use a third party to perform a background screening or credit checks on our behalf or use services hosted in a third party cloud environment.

    Any third party that we employ is checked to ensure they are reliable, and we only engage them where they enter into a proper contract with us and implement appropriate security and other measures to guarantee that your personal data remains confidential.

    When legally obligated to do so, we will share your personal data with government authorities, regulators or supervisory authorities, and law enforcement agencies.

  • Your personal data may be transferred to a country outside the UK or European Economic Area (EEA) that provides a lower level of protection to personal data than the legislation in the UK or EEA.

    Transfers within the Rabobank Group
    When we share your data with other entities of the Rabobank Group that are in countries other than the country in which your personal data was originally collected, we rely on the Rabobank’s Privacy Codes. The Rabobank Privacy Codes apply as “Binding Corporate Rules” (“BCRs”) which are a set of rules that all Rabobank Group entities must comply with to ensure an adequate level of protection for your personal data. Because of these codes, the same rules apply to all entities of the Rabobank Group, permitting us to share data within the Rabobank Group. The Rabobank Privacy Codes are available on our website.

    Transfers outside the Rabobank Group
    When we transfer your data to a third party located in a country outside the UK or EEA that provides a lower level of protection for personal data, we take extra measures to protect your data.

    We will apply additional safeguards so that your data is protected to the same level as the data protection and privacy laws in the UK. This includes undertaking transfer impact and risk assessments, implementing contractual measures approved by the UK Information Commissioner’s Office and implementing other extra security measures where needed.

  • We do not store your personal data for longer than we need to achieve the purposes for which we have collected it or for the secondary purposes for which we reuse it.

    We have a retention policy which specifies how long we store data. In most cases, this is 10 years after the end of the contract or your relationship with DLL. Sometimes this period is longer, for example, if a supervisory authority asks us to do so, if you have filed a complaint that makes it necessary to keep the underlying personal data for a longer period, or in specific cases for archiving or legal proceedings. Sometimes we use shorter retention periods, for example for telephone call and camera recordings.

    We have implemented appropriate technical and organizational measures to ensure that only people that have a right to access your information can access it. For example, our marketing department has access for a shorter period compared to our tax department.

    We will delete personal data at an earlier time if you request us to delete your personal data, unless another law prevails.

  • Your rights concerning the processing of your personal data:

    Access and Rectification
    You can ask us to access the personal data we hold about you. Where you believe that your personal data is incorrect or incomplete, you can ask us to correct or add more detail to your personal data.

    Erasure
    You can ask us to erase your personal data processed by us. If we do not have any legal obligations or legitimate business reasons to retain your personal data, we will fulfill your request.

    Restriction
    You can ask us to limit the personal data we hold about you. We may refuse this type of request if we have a lawful reason to continue holding your personal data (e.g., the exercise of a contract, a legal archiving duty, or the establishment, exercise, or defense of legal claims).

    Portability
    You have the right to ask us to provide to you a copy of your personal data in a structured and machine-readable format or to transfer your personal data on your behalf to a third party. Transfer of personal data directly to a third party can only be done if it is technically possible.

    Objection
    You have the right to object to the processing of your personal data. If you object to our processing of your information, we will stop the processing where there is no overriding legal or regulatory requirement. If an overriding requirement exists, we will inform you of this.

    Consent withdrawal
    If you have given your consent to us to process your personal data, you can withdraw your consent at any time. We will stop any processing allowed solely by consent within 30 days of receiving your request.

  • For questions related to this privacy statement, please contact our local privacy officer or local compliance officer via: gdpr.nordics@dllgroup.com

    If you would like to exercise any of your rights, please do so by completing this form:

    Submit a Request or Complaint

    We will respond within one month after we have received your request. In some cases, however, we may need to extend this period for up to another 2 months. We may need to ask you for some additional details to clarify your request or provide verification of your identity.

    We will do our best to handle your request, question, or complaint quickly and efficiently.

    If you are unhappy with how we handle a request, question, or complaint, you can contact the Swedish Authority for Privacy Protection at www.imy.se or write to them at:
    Integritetsskyddsmyndigheten
    Box 8114
    104 20 Stockholm

  • This privacy statement will be updated from time to time in case of additional legal requirements or if we process personal data for new purposes.